ElearnSecurity Web application Penetration Tester (eWPT) review

eWPT logo

Context

I passed eLearnSecurity eJPT’s certification a couple of months ago and decided to take some more certifications from this company, in accordance with that, my employer paid me a yearly subscription to their learning plateform INE. Cost is $750 a year, plus $400 for most (any?) certification exams. But there is a reduction on the first one you take with the yearly subscription so I ended up paying only 200 dollars for this one.

So the price for someone joining eLearnSecurity INE plateform and passing the eWPT as a new member is $750 + $200 = $950. But that gives you access to all the courses for a year so the more courses you take and certifications you pass from them, the more you get for your money.

One of the interesting skills I need everyday on my job is web penetration testing so I enrolled for the Web Application Penetration Tester path (WAPT) and the associated Web Penetration Tester certification (eWPT). I looked up other certifications than the ones from eLearn and there is little. However there is a lot of free material on the web amongst which:

I successfully passed the exam a few days ago after around two months working on the course part-time, mostly in the evenings and weekends.

The following lines are subjective and I invite anyone reading it to also read other opinions on the certification to get a good picture of it.

Format

As usual for eLearn courses, the format is a mix between slides presentations, videos and practical “labs” which consist in a virtual environment you can access through a VPN connection. It alternates well between “theory times” consisting in reading and watching and practice through the labs.

Amongst the labs, there are classic, guided exercices and “challenges” labs that goes further on the theory notions seen and for which no solution is provided.

I find this format to be a very efficient way of learning, both because concepts are repeated in slides and in videos and also because the labs provide you very practical knowledge that serves in real engagements.

Course

Overall, I found the course to be very good. Information is relevant, accurate and there is a good mix between the theory and the practice.

However, and that is due to the age of the course, some parts are outdated. As an example, the Content Security Policy (CSP) feature of modern browsers evolved a lot these last few years and the course do not feature all of it. Moreover, you will not find anything on how to pentest a GraphQL API for example.

I had issues accessing the old WAPT forums but I wrote to eLearnSecurity support and they promptly granted me access to it.

The course teaches, amongst others, the following technical notions:

  • Arbitrary file upload
  • Authentication issues
  • Authorization issues
  • CMS attacks (Wordpress, Joomla)
  • Clickjacking
  • CSRF
  • Fingerprinting
  • Flash
  • HTML5
  • HTTP response splitting
  • LFI/RFI
  • NoSQL injections
  • REST APIs
  • SQLi
  • Sessions issues
  • Subdomains enumeration
  • Web services (SOAP etc)
  • XPath
  • XSS

And others. But more than anything it teaches you how to organize and perform a web application penetration test with skills such as:

  • Reporting.
  • What to look for first.
  • What a web pentest scope is.
  • How to mitigate risks.

Which, in my humble opinion, is what you should seek for in such certifications: methodology.

Exam

The exam is a black-box web application penetration test for which you need to apply the notions learnt during the course and hand back a report featuring all the vulnerabilities you could find.

There is no surprise of any kind in it, all vulnerabilities I could find were covered by the course.

There is seven days of access to the virtual exam environment and seven more days for you to redact the report and hand it back.

The exam is no jokes and time-limited, pressure will be there so be ready.

I am working full-time, I thus started a friday when off to get three full days as a start. The following week, I was working during the day and doing the exam in the evenings.

I stopped the exam and handed out the report after six days. Do not take this number as a rule, everyone is different.

I suggest to not underestimate the time it takes to report your findings. I probably spent as much (if not more) time writing and arranging the report as I did finding vulnerabilities.

A piece of advice

For the course:

  • Do not skip any labs.
  • Do all the challenges.
  • Take notes of interesting tools/links/ressources given
  • Go further than asked by exploring web-related subjects.

For the exam:

  • Have a cheatsheet ready
  • Do your reconnaissance.
  • Get a good snipping tool for screenshots.
  • If you are working, start on a friday night or a saturday morning.
  • Do the report as you go, not everything in the end.
  • Get food in your fridge.

References

Related Articles